telegram-crawler/data/web/blogfork.telegram.org/api/pfs.html

<!DOCTYPE html>
<html class="">
  <head>
    <meta charset="utf-8">
    <title>Perfect Forward Secrecy</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta property="description" content="Binding temporary authorization key to permanent ones.">
    <meta property="og:title" content="Perfect Forward Secrecy">
    <meta property="og:image" content="a2b9f721d645a85533">
    <meta property="og:description" content="Binding temporary authorization key to permanent ones.">
    <link rel="icon" type="image/svg+xml" href="/img/website_icon.svg?4">
<link rel="apple-touch-icon" sizes="180x180" href="/img/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="/img/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/img/favicon-16x16.png">
<link rel="alternate icon" href="/img/favicon.ico" type="image/x-icon" />
    <link href="/css/bootstrap.min.css?3" rel="stylesheet">
    
    <link href="/css/telegram.css?236" rel="stylesheet" media="screen">
    <style>
    </style>
  </head>
  <body class="preload">
    <div class="dev_page_wrap">
      <div class="dev_page_head navbar navbar-static-top navbar-tg">
        <div class="navbar-inner">
          <div class="container clearfix">
            <ul class="nav navbar-nav navbar-right hidden-xs"><li class="navbar-twitter"><a href="https://twitter.com/telegram" target="_blank" data-track="Follow/Twitter" onclick="trackDlClick(this, event)"><i class="icon icon-twitter"></i><span> Twitter</span></a></li></ul>
            <ul class="nav navbar-nav">
              <li><a href="//telegram.org/">Home</a></li>
<li class="hidden-xs"><a href="//telegram.org/faq">FAQ</a></li>
<li class="hidden-xs"><a href="//telegram.org/apps">Apps</a></li>
<li class="active"><a href="/api">API</a></li>
<li class=""><a href="/mtproto">Protocol</a></li>
<li class=""><a href="/schema">Schema</a></li>
            </ul>
          </div>
        </div>
      </div>
      <div class="container clearfix">
        <div class="dev_page">
          <div id="dev_page_content_wrap" class=" ">
  <div class="dev_page_bread_crumbs"><ul class="breadcrumb clearfix"><li><a  href="/api" >API</a></li><i class="icon icon-breadcrumb-divider"></i><li><a  href="/api/pfs" >Perfect Forward Secrecy</a></li></ul></div>
  <h1 id="dev_page_title">Perfect Forward Secrecy</h1>
  
  <div id="dev_page_content"><h5><a class="anchor" name="related-articles" href="#related-articles"><i class="anchor-icon"></i></a>Related articles</h5>
<p><div class="dev_page_nav_wrap"></p>
<ul>
<li><a href="/api/end-to-end/pfs">Perfect Forward Secrecy in Secret Chats</a></li>
<li><a href="/mtproto/security_guidelines">Security guidelines for developers</a></li>
</ul>
<p></div></p>
<blockquote>
<p><em>This article is about Perfect Forward Secrecy in cloud chats, see also <a href="/api/end-to-end/pfs">PFS in Secret Chats</a>.</em></p>
</blockquote>
<hr>
<p>Telegram supports Perfect Forward Secrecy (PFS).</p>
<p>To make this possible, the client generates a permanent authorization key using <strong>p_q_inner_data</strong> and a temporary key using <strong>p_q_inner_data_temp</strong>. (See <a href="/mtproto/auth_key">Creating an Authorization Key</a> for more info.) These 2 operations may be done in parallel using different connections. The client must save an <strong>expires_at</strong> unix timestamp <code>expires_at = time + expires_in</code>.</p>
<p><strong>Important</strong>: in order to achieve PFS, the client must <strong>never</strong> use the permanent auth_key_id directly. Every message that is sent to MTProto, must be encrypted by a <strong>temp_auth_key_id</strong>, that was bound to the <strong>perm_auth_key_id</strong>.</p>
<p>An unbound <strong>temp_auth_key_id</strong> may only be used with the following methods:</p>
<ul>
<li><a href="/method/auth.bindTempAuthKey">auth.bindTempAuthKey</a></li>
<li><a href="/method/help.getConfig">help.getConfig</a></li>
<li><a href="/method/help.getNearestDc">help.getNearestDc</a></li>
</ul>
<p>In order to bind a temporary authorization key to the permanent key the client creates a <a href="/method/auth.bindTempAuthKey#binding-message-contents">special binding message</a> and executes the <a href="/method/auth.bindTempAuthKey">auth.bindTempAuthKey</a> method using <strong>temp_auth_key</strong>. Once <strong>auth.bindTempAuthKey</strong> has been executed successfully, the client may continue using the API as usual; the client must also <a href="/api/invoking#saving-client-info">rewrite client info</a> using <a href="/method/initConnection">initConnection</a> after each binding. Each permanent key may only be bound to <strong>one</strong> temporary key at a time, binding a new temporary key overwrites the previous one.</p>
<p>Once the temporary key expires, the client needs to generate a new temporary key using <strong>p_q_inner_data_temp</strong>. Then it needs to re-bind that new temporary key to the initial permanent key. A new key can also be generated in advance, so that the client has a new key ready by the time the old one has expired.</p>
<p>For additional security, the client can store the temporary authorization key in RAM only and never save it in persistent storage.</p>
<p>A temporary authorization key may expire at any moment before <strong>expires_at</strong>, since such keys are also stored only in the RAM on the server-side. Be prepared to handle resulting MTProto errors correctly (non-existent auth_key_id results in a 404 error).</p>
</div>
  
</div>
          
        </div>
      </div>
      <div class="footer_wrap">
  <div class="footer_columns_wrap footer_desktop">
    <div class="footer_column footer_column_telegram">
      <h5>Telegram</h5>
      <div class="footer_telegram_description"></div>
      Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.
    </div>

    <div class="footer_column">
      <h5><a href="//telegram.org/faq">About</a></h5>
      <ul>
        <li><a href="//telegram.org/faq">FAQ</a></li>
        <li><a href="//telegram.org/privacy">Privacy</a></li>
        <li><a href="//telegram.org/press">Press</a></li>
      </ul>
    </div>
    <div class="footer_column">
      <h5><a href="//telegram.org/apps#mobile-apps">Mobile Apps</a></h5>
      <ul>
        <li><a href="//telegram.org/dl/ios">iPhone/iPad</a></li>
        <li><a href="//telegram.org/android">Android</a></li>
        <li><a href="//telegram.org/dl/web">Mobile Web</a></li>
      </ul>
    </div>
    <div class="footer_column">
      <h5><a href="//telegram.org/apps#desktop-apps">Desktop Apps</a></h5>
      <ul>
        <li><a href="//desktop.telegram.org/">PC/Mac/Linux</a></li>
        <li><a href="//macos.telegram.org/">macOS</a></li>
        <li><a href="//telegram.org/dl/web">Web-browser</a></li>
      </ul>
    </div>
    <div class="footer_column footer_column_platform">
      <h5><a href="/">Platform</a></h5>
      <ul>
        <li><a href="/api">API</a></li>
        <li><a href="//translations.telegram.org/">Translations</a></li>
        <li><a href="//instantview.telegram.org/">Instant View</a></li>
      </ul>
    </div>
  </div>
  <div class="footer_columns_wrap footer_mobile">
    <div class="footer_column">
      <h5><a href="//telegram.org/faq">About</a></h5>
    </div>
    <div class="footer_column">
      <h5><a href="//telegram.org/blog">Blog</a></h5>
    </div>
    <div class="footer_column">
      <h5><a href="//telegram.org/apps">Apps</a></h5>
    </div>
    <div class="footer_column">
      <h5><a href="/">Platform</a></h5>
    </div>
    <div class="footer_column">
      <h5><a href="//telegram.org/press">Press</a></h5>
    </div>
  </div>
</div>
    </div>
    <script src="/js/main.js?47"></script>
    
    <script>backToTopInit("Go up");
removePreloadInit();
</script>
  </body>
</html>